BILL ANALYSIS
AB 1149
Page 1
Date of Hearing: April 30, 2013
ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
AB 1149 (Campos) - As Introduced: February 22, 2013
PROPOSED CONSENT
SUBJECT : Data Security Breach Notices: Local Agencies
KEY ISSUE : Should the existing law that requires state agencies
to notify affected persons in the event of a data security
breach be extended to impose the same requirement on local
agencies?
FISCAL EFFECT : As currently in print this bill is keyed fiscal.
SYNOPSIS
This bill would extend to local agencies the same data breach
notification requirements to which state agencies are already
subject. Enacted in 2002 as an effort to better combat identity
theft in a digital age, California's landmark security breach
notification law requires both state agencies and private
businesses that own or maintain personal information (in
computerized form) to notify any person whose personal
information is compromised as a result of a data breach.
However, because the data breach notification statute falls
within the state's 1977 Information Practices Act (IPA), it does
not apply to local agencies - which were expressly exempted from
the IPA. This bill would provide that, notwithstanding that
exemption, local agencies will henceforth be subject to the same
notification requirements that presently apply to state
agencies. According to the author, local agencies often hold
the same kinds of sensitive information that are held by state
agencies and private businesses and, therefore, should be held
to the same notification requirements. There is no known
opposition to this bill.
SUMMARY : Extends to local agencies an existing statute that
requires state agencies that own or license computerized
personal data to notify any person whose personal data is
subject to a data security breach.
EXISTING LAW :
1) Requires any state agency that owns or licenses computerized
data that includes personal information to disclose any breach
of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. Requires any state
agency that maintains, but does not own, personal information
to notify the owner or licensor of the data of any breach.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
(Civil Code Section 1798.29.)
2) Requires any person or business that conducts business in
California, and that owns or licenses computerized data that
includes personal information to disclose any breach of the
data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. Requires any person or
business that maintains, but does not own, personal
information to notify the owner or licensor of the data of any
breach. Provides further that disclosure shall be made in the
most expedient time possible and without unreasonable delay.
(Civil Code Section 1798.82.)
3) Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice, as specified, may
be used if the person, business, or agency determines that the
cost of providing notice would exceed $250,000 or that the
affected class of subject persons exceeds 500,000, or the
person, business, or agency does not have sufficient contact
information. (Civil Code Sections 1798.29 (g) and 1798.82
(g).)
4) Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to the
above provisions, that notification must be written in plain
language and provide specified information, including the name
and contact information of the reporting agency, person, or
business; information about the timing and nature of the
breach; and contact information for the major credit reporting
bureaus. Specifies that the agency, person, or business may
include additional information that would be useful to the
person in taking steps to mitigate potential damages caused by
the breach. (Civil Code Sections 1798.29 (d) and 1798.82
(d).)
5) Notwithstanding the above notice requirements, a person,
business, or agency that maintains its own notification
procedures as part of an information security policy that is
consistent with existing law shall be deemed to be in
compliance with the notification of state law if the agency,
person, or business notifies subject persons in accordance
with its own policies. (Civil Code Sections 1798.29 (h) and
1798.82 (h).)
6) Exempts local agencies from the state Information Practices
Act, of which the above provisions are a part. (Civil Code
Section 1798.3(b)(4).)
COMMENTS : Under California's data security breach notification
law, a person, business, or state agency that owns, licenses, or
maintains computerized data that contains personal information
must provide the required notices if unencrypted personal
information is, or is reasonably believed to have been, acquired
by an unauthorized person. The purpose of these notice
requirements is obvious enough: when a person's personal
information is compromised there are steps that he or she can
take to mitigate the possibility that the personal information
will be misused, but a person cannot take those steps unless he
or she is first aware that the personal information has been
compromised.
Over the past few years this Committee has heard several bills
that have expanded or fine-tuned existing law. Most recently SB
24 (Chapter 197, Statutes of 2011) prescribed the contents of
the required security notices so that such notices will provide
more useful information to the victims of a security breach and
be uniform throughout the state. The existing breach
notification law consists of two parallel sections in the Civil
Code: one section applies to state agencies and another, nearly
identical, section applies to persons and businesses. However,
because the section relating to state agencies is located within
the state's Information Practices Act (IPA) of 1977, it does not
apply to local government agencies - which were expressly
exempted from the original IPA in 1985. It is not clear from
extant legislative history why local agencies were carved out of
the IPA at that time. This bill would specify that, for
purposes of the security breach notification provisions only, a
covered "agency" includes a local agency as well as a state
agency. Local agencies, therefore, would continue to be
exempted from other provisions of the IPA, except where
otherwise provided.
For purposes of this bill, "local agency" is given the standard
definition that currently exists in Section 6252 of the
Government Code: a city; county; city and county; school
district; municipal corporation; district; political
subdivision; or any board, commission or agency thereof; other
local public agency; or entities that are legislative bodies of
a local agency.
Scope of the Problem : Partly because local agencies are not
currently subject to the breach notification law, it is
difficult to ascertain the exact scope of the problem among
local agencies. The author provided the Committee with a list
identifying a handful of breaches that have occurred at local
agencies in the past few years, ranging from at least one
hacking incident to a few law enforcement and social service
agencies that misplaced laptops containing files with personal
information. Had these breaches occurred at state agencies,
those agencies would have been required to comply with the
breach notification law. This bill is premised on the
reasonable assumption that the consequences of a data breach -
and the need for the affected person to know of the breach and
take appropriate protective steps - are the same whether the
data is held by a state agency or by a local agency.
ARGUMENTS IN SUPPORT : The author provides an admirably succinct
argument on behalf of this bill: "If state agencies and private
companies release your personal information, regardless of how
it occurs, they must notify you so you can take steps to protect
yourself against identity theft. Local agencies should be held
to the same standard. AB 1149 accomplishes this."
The Privacy Rights Clearinghouse argues that "a great deal of
highly sensitive personal information is collected and held by
local governments," yet "local governments are not required to
provide any notifications to individuals who may be the victim
of a data breach . . . The end result of this failure to notify
can be identity theft, as individuals have no other mechanism
for discovering the existence of the information." PRC believes
that this bill will fill a "major gap" in California's existing
breach notification law. Several other consumer and labor
groups support this bill for substantially the same reason.
REGISTERED SUPPORT / OPPOSITION :
Support
ACLU
California Cable and Telecommunications Association
California Federation of Teachers
Consumer Federation of California
Privacy Rights Clearinghouse
Opposition
None on file
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334